[phkahler]

>> As a side-effect, reproducible builds, which this technique breaks, are less of a concern anyway (because you've compiled your system from source).

Reproducible builds verify the source code and build process (including options) were the same. Not sure how important each aspect is.

Also, if for some reason you rebuild a dependency, you'll need to relink everything that depends on that. This could get messy, but it's still interesting.

[withinboredom]

Isn’t it impossible to have truly from-scratch reproducible builds? IIRC, you have to trust the compiler which can’t be built from scratch.

[ectopod]

You can bootstrap the compiler. It's a chore but not impossible. More usefully, you can check that your builds are identical to other people's, so at least your compiler isn't uniquely compromised.

[withinboredom]

I don’t think it’s possible since you’d need the original compilers from the 70’s and bootstrap other compilers up to a modern one. Otherwise your existing compiler could taint your new one.

[ectopod]

Many years ago I wrote a C compiler in assembly language. It wasn't hard, and C hasn't changed that much. The complexity in modern compilers is in the optimisation, which you don't need if you're bootstrapping. It's not impossible.

[withinboredom]

A pragmatic approach!

[chlorion]

There are people who spend time trying to solve this issue!

https://bootstrappable.org/

https://www.gnu.org/software/mes/

The idea here, is that if you can get a very basic C compiler, you can start building TinyCC, and eventually build a pre-C++ version of GCC, and from there build up to modern GCC. This is a lot easier said than done of course, but not quite as bad as needing the original compilers from the 70s!

[chithanh]

No, you only need two compilers that have not been subverted by the same adversary.

https://www.schneier.com/blog/archives/2006/01/countering_tr...

[withinboredom]

That’s a good point

[chameco]

It'd be a fun exercise to write a tiny Forth in machine code (sans assembler) and use it to write enough of a C compiler to build tcc, or something along those lines. From there I think you can chain old (but accessible) gcc versions up to modern gcc.

[londons_explore]

> You can bootstrap the compiler. It's a chore but not impossible.

And specifically, only one person needs to do this once... I'm surprised there isn't some project doing this...

[yjftsjthsd-h]

There is: https://savannah.nongnu.org/projects/stage0/

[Hydraulix989]

Why? If the dependencies are dynamically loaded libraries it shouldn't matter?

[cbrozefsky]

Control over the RNG seed, and tracking that seed as an 'input', would be a way to get reproducible builds while still having randomization.